What Kaspersky really discovered...

00:00

it's the morning of May 12th 2017 nothing  seems out of the ordinary as you wake up  

00:05

and start your day that is until you go to  turn on your computer and are greeted with

00:10

this you find a prompt from a program called  wanted a crypter informing you that all of your  

00:31

data has been encrypted with the decryption Keys  being held for ransom if you want your data back  

00:36

you have 3 days to pay the initial Ransom of  $300 at which point you'll be raised to $600  

00:43

if no payments are made after a week your files  will be permanently lost you just became one of  

00:48

the first victims of a worldwide Cyber attack  known as W cry amid the Panic unbeknown to you  

00:54

monoc cry just spread to all the other devices  on your network after infecting a computer it  

01:00

a fully autonomous self-replicating mechanism  that enables it to silently spread across  

01:04

networks without requiring any user interaction  this makes it a computer worm which by Design  

01:11

will self- multiply and propagate itself at  an exponential rate at 744 UTC the first case  

01:17

was identified at a Southeast Asian ISP  shortly after cases were starting to be  

01:23

identified globally a mere 5 hours after the  first case 72% of isps in Asia were infected  

01:30

despite the discovery of a kill switch by a  British security researcher the damage was already  

01:35

done within a single day over 230,000 computers  across 150 different countries were infected  

01:42

with damages ranging from hundreds of millions to  billions of dollars the National Health Service in  

01:48

the UK was among the largest agency struck with  up to 70,000 devices affected certain locations  

01:54

had to turn away emergency patients and various  ambulances had to be diverted to other hospitals  

02:00

in December 2017 the United States formally  asserted that North Korea was behind the attack  

02:06

later indicting three North Korean officials  North Korea denied any involvement as laid out  

02:13

in today's indictment North Korea's operatives  using keyboards rather than guns stealing digital  

02:19

wallets of cryptocurrency instead of sacks  of cash have become the world's leading bank

02:24

robbers as the chaos was settling about a month  after the wry outbreak a series of powerful  

02:33

cyber attacks using the not Pia malware were  Unleashed during the 2017 Ukraine ransomware  

02:39

attacks although it was mistaken for ransomware  at first it was quickly realized to be a disc  

02:44

wiper designed to cause maximum damage to its  targets despite only having a single day to  

02:49

spread damages were estimated to be over10 billion  becoming one of the most devastating cyber attacks  

02:56

in history the United States claimed Russia was  behind the attack back indicting a total of six  

03:01

Russian officials Russia denied any involvement  in the coming months several other cyber attacks  

03:08

arose globally the United States continued to make  indictments something seemed to be tying these  

03:14

together why were the most severe cyber attacks  in history suddenly happening all at once and just  

03:20

as importantly why were they all computer worms  it turns out that they were all using the same  

03:25

exploit Eternal blue surprisingly Eternal blue was  developed by the National Security Agency a branch  

03:32

of the United States Department of Defense within  the NSA the specific unit is known as the equation  

03:38

group a threat actor kaspersky describes as  surpassing anything known in terms of complexity  

03:44

and sophistication of techniques several years  prior to the attacks Eternal blue was developed  

03:50

as part of a collection of exploits known as the  Eternal exploits which targeted Microsoft's SMB  

03:56

V1 protocol SMB or server message block is one of  the most widely used communication protocols in  

04:02

the world it is primarily used for file sharing  and print services on Windows computers and  

04:08

servers among other devices a vulnerability in  SMB lends itself perfectly to a computer worm  

04:14

as it is already extensively used across home  and Enterprise networks with Port 445 left open  

04:20

for legitimate SMB traffic on top of this it  was enabled on systems by default at the time  

04:27

the NSA rather than informing Microsoft about  the vulnerabilities decided to keep them under  

04:32

wraps for several years this was until the  NSA themselves were hacked by a group called  

04:37

The Shadow brokers in 2016 the shadow broker  stole a collection of exploits from the NSA  

04:43

and attempted to auction them off online unsure of  the legitimacy of such claims there were no bits  

04:49

when the NSA realized that they were breached they  ended up informing Microsoft to release a patch on  

04:54

March 14th 2017 a month later on April 14th the  the shadow Brokers decided to publicly release  

05:01

the exploits free of charge the dump included the  infamous Eternal blue exploit alongside the rest  

05:07

of the Eternal exploits an exploitation  framework a command and control solution  

05:12

and a backdoor implant for use after an initial  exploitation with all these exploits and tools now  

05:18

publicly available various threat actors began to  incorporate them into their own malware not even a  

05:24

month later Wan cry took hold of the world despite  a patch technically being released 2 months prior  

05:30

the countless number of individuals and  organizations that don't regularly update  

05:34

their OS were left exposed now that we understand  the source and significance of Eternal blue  

05:39

let's take a look under the hood and see how it's  actually able to fully compromise a remote system  

05:44

without any user interaction rather than being a  single exploit Eternal blue is an exploit chain  

05:50

leveraging three different underlying bugs the  first two bugs work together to induce a buffer  

05:55

overflow while the third bug enables us to force  a memory allocation of arbitrary size while these  

06:01

bugs may seem obscure in isolation they all come  together in the end during the exploitation phase  

06:07

using a technique known as Heap grooming or as I  like to call it Heap Fang what makes Eternal blue  

06:13

especially impressive is that it injects its  chosen payo directly into smb's memory space  

06:18

running entirely within the SMB process on  the target machine this makes it exceedingly  

06:23

difficult to detect as it doesn't create any new  processes but I digress to understand the exact  

06:29

mechanics at the heart of Eternal blue let's  start by taking a look at the SMB protocol  

06:35

similar to other protocols communication within  SMB takes the form of requests and responses being  

06:40

exchanged between two devices the specific unit  of information being exchanged is called an SMB  

06:45

message also referred to as an SMB packet these  packets are divisible into three parts being the  

06:52

header block parameter block and data block the  header block contains a field for the SMB command  

06:58

which is used to specify the type of operation  such as creating reading or deleting a file  

07:04

when dealing with operations pertaining to files  you may encounter the case where extended file  

07:08

attributes or fees are used a fee is just a way to  store metadata associated with a file beyond the  

07:15

standard attributes defined by the file system  itself each fee takes the form of a key value  

07:21

pair alongside their respective sizes the exact  implementation and format of these key value pairs  

07:27

varies by operating system for instance os2 and  the Windows NT family have different fee formats  

07:35

since SMB is compatible across different operating  systems it's possible to get into a case where os2  

07:41

formatted fees need to be cast to NT formatted  fees the first bug that Eternal blue exploits  

07:47

is the wrong casting bug where a buggy casting  operation is used to cast os2 fees to NT fees  

07:54

which causes a buffer overflow in the non-paged  kernel pool just as an aside the non-paged pool  

08:00

is just a memory pool that is designated to remain  on the physical RAM this is opposed to the paged  

08:06

pool which can spill over from the physical RAM  onto a slower page file on the disk but I digress  

08:12

in order to see how this buggy casting operation  is able to cause a buffer overflow we first need  

08:17

to understand how these fees are represented in  code os2 fees actually require the use of two  

08:23

structures each individual fee is represented with  an os2 fee structure multiple of these are store  

08:29

together using an os2 fee list which combines them  all together and stores the total size of the list  

08:35

in bytes NT fees on the other hand use a structure  called NTV list which are chained together backto  

08:43

back in memory this approach is known as an offset  based linked list each instance represents a  

08:49

single fee with the next entry offset field being  used to tell where the next instance is located in  

08:54

memory relative to the current one to navigate the  notes in the list you would keep on on adding the  

09:00

offset to the current nodes memory address until  you reach the end now that we know how these two  

09:05

different types of fees are represented let's see  what happens when we get into the case where we  

09:09

need to cast an os2 fist to an NT fist the serve  os2 fist to n function will be used let's take a  

09:18

look inside just to be clear the purpose of this  function is to create an N fist given an os2 fist  

09:25

in order to do this we first need to determine the  appropriate size for the student to be created to  

09:30

NT fist which is done with the serve os2 fist size  to NT helper function then we'll use the size that  

09:37

this function returns to allocate a buffer in  the non-paged pool for the new NT fist once the  

09:43

allocation is made the last step is to convert  and add the individual fees from the os2 Feist  

09:49

to the NT Feist this is done by iterating over  the individual os2 fist entries until it reaches  

09:56

size of list in bytes within each iteration it can  converts the os2 record to the NT format and adds  

10:02

it to the NT fist it's important to note that the  size of list in byes field is used to determine  

10:07

how much underlying data is transferred into  the NT fist now that we know that there's three  

10:12

different steps let's go ahead and look at them  in more detail starting with the serve os2 fist  

10:17

size to NT function this function actually does  two distinct things first it calculates the size  

10:24

needed for the NT fist this is the return value of  the function which is used to allocate the buffer  

10:29

as we just saw the second thing it's going to  do will only happen on a specific Edge case  

10:34

in response to a malformed SMB packet because  the size of list in byes field doesn't actually  

10:40

restrict the SMB packet size it's possible to  carefully craft a packet with some amount of  

10:45

fees that actually extend past whatever value is  set as the size of list in bytes this would be a  

10:51

malformed packet why the function doesn't just  drop these malformed packets as anyone's guess  

10:57

instead what it does is it shrinks the size of  list in byes value down to the nearest inbounds  

11:02

fee this new value that it calculates overwrites  the original size of list in bites value even  

11:08

though this may seem like weird Behavior it's  not inherently dangerous some fees may be lost  

11:13

during the casting process but that's about it  so where exactly does this bug lie recall that  

11:19

under normal circumstances with an intact SMB  packet nothing is modified only with a specific  

11:25

Edge case with overflowing fees will size of  list in bytes be shrunk let's take a look at  

11:30

how it is shrunk basically size of list in bytes  is defined as a u long which takes up the size  

11:37

of a d-word this is a 4 byte value the function  that's run to overwrite the size treats it as a  

11:43

u short which takes up the size of a word this is  a two byte value this mismatch is the basis of the  

11:50

first bug this means that if shrinking is needed  the two least significant bites will be modified  

11:56

while the two most significant bites will remain  untouched due to the fact that the function treats  

12:01

a 4 byte dword as a two byte word this means that  if size of list in bytes is less than 2 to the 16  

12:08

meaning it fits entirely within the range of the  two rightmost bytes known as the low dword it will  

12:14

be shrunk as expected however if it is greater  than 2 to the 16 and spans both the high dword  

12:20

and low dword the function will only affect the  low DW leaving the high dword intact because of  

12:27

this depending on the exact value being used size  of list in bytes may be enlarged instead of shrunk  

12:34

let's see how much damage this can actually  cause zooming back out to our casting process  

12:38

at a high level recall that the last step in the  casting process will iterate over each os2 fee in  

12:45

the os2 fee list converting and appending it to  the NT fee list until it reaches size of list in  

12:51

bytes everything contained within this area is  set to be copied over into the NTI fist buffer  

12:57

when creating this carefully crafted packets the  size of Liston byes field is going to be set to a  

13:03

controlled value larger than 2 to the 16 in hopes  of triggering the bug that mistakenly enlarges it  

13:09

due to the enlargement of this field the area to  be copied over is increased throughout this entire  

13:15

process up until this point I left out a key piece  of information about the specially crafted packet  

13:21

when we created this packet we actually would  have placed some unrelated attacker chosen data  

13:26

directly following the fist keep it in mind  that despite the size of list in bytes being  

13:31

wrongfully enlarged the size for the newly created  nist buffer is calculated correctly because of  

13:38

the enlarged value of size of list in bytes the  area to be copied over is now larger than the NT  

13:43

Feist buffer size itself meaning more data will be  copied over than can fit within the buffer this is  

13:50

known as an outof bounce right in addition to all  of the fees being copied over the arbitrary data  

13:56

that we included within our malformed packet will  also be copied over as well so long as it fits  

14:01

within the area marked by size of list in bytes  in short bug a achieves an outof bounds right  

14:07

of arbitrary data past the bounds of the NT fist  buffer which resides within the non-paged kernel  

14:13

pool the important takeaway here is that if there  was anything else directly following the NTI fist  

14:19

buffer in memory it would be overwritten with  this attacker injected data keep this in mind  

14:25

for later in the attack so far this makes sense  however you might have been wondering exactly  

14:30

why a field defined as a u long is treated as  a u short it's actually bug b that makes this  

14:36

happen you need both bug A and B to pull off this  outof bounds right successfully within SMB there's  

14:43

several commands that can be used for file related  operations SMBC transaction 2 and SMBC NT transact  

14:51

are two relevant examples of such commands if  the amount of data that needs to be transmitted  

14:56

exceeds the maximum within a single SMB pack  packet it may be broken up into multiple packets  

15:02

each command has a corresponding subcommand ending  in underscore secondary which makes it possible to  

15:07

send two packets back to back with the secondary  packet containing the remaining data that couldn't  

15:13

fit within the primary packet it's important to  note that the trans 2 request defines its fields  

15:18

in word sizes whereas the NT trans request defines  its fields in dword sizes bear with me on this  

15:26

there is no validation enforcing that multiart  transactions must be of the same type meaning  

15:31

it's possible to send mismatching primary and  secondary commands what we're going to do is send  

15:37

an NT trans followed by a trans 2 secondary which  will be traded and parsed as a valid two-part  

15:43

transaction even though this will be accepted  as a valid transaction we know that these two  

15:48

transaction types will use different field sizes  The Fault in SMB is that it doesn't take into  

15:53

account that different transaction types may be  used together despite having different field sizes  

15:59

as a result the field size of the last transaction  type will be used for parsing all of the packets  

16:06

this means that the primary ENT trans packet  that uses d-word sizes will be treated as if  

16:11

it only uses word sizes which is what causes  the incorrect parsing function to be used as  

16:17

we saw in bug a just to recap bugs A and  B work together to enable an outof bounds  

16:22

right past the boundary of the NT fist injecting  arbitrary data into the subsequent memory location  

16:29

within the non-paged kernel pool if you're like  me you've probably been hearing the term buffer  

16:34

overflow thrown around for quite some time despite  being frequently discussed and widely recognized  

16:40

as a severe vulnerability buffer overflows on  their own are rarely enough to compromise the  

16:45

system just because an attacker is able to trigger  a bug doesn't mean that they're able to use it for  

16:50

anything useful how would the attacker even know  what data lies outside of the buffer there's a  

16:55

wide variety of buffer overflow protection and  mitigation techniques standing in their way such  

17:00

as address space layout randomization which breaks  address space predictability and data execution  

17:05

prevention which marks certain memory regions  as non-executable Eternal blue pairs this buffer  

17:11

overflow with more sophisticated techniques which  we'll see shortly when I was researching for this  

17:16

video I came across this Defcon presentation by  Zer sum 0x0 which was invaluable in understanding  

17:23

the types of techniques you might see at  this level understanding these attacks often  

17:27

requires a strong Foundation of knowledge and  understanding combined with effective problem  

17:32

solving skills this is where today's video sponsor  comes in brilliant with brilliant you learn by  

17:38

doing engaging with thousands of interactive  lessons in math programming computer science  

17:43

data science and AI brilliant offers lessons  that are designed to instill proper principles  

17:49

and teach you fundamentals from the ground up in  a Hands-On environment all content on brilliant  

17:54

is crafted by an award-winning team of teachers  researchers and Prof professionals from schools  

18:00

such as MIT and Caltech and even industry Partners  such as Google and Microsoft all of their lessons  

18:06

are filled with Hands-On exercises that let you  play with Concepts in real time a method proven  

18:11

to be more effective than simply watching  lecture videos brilliant helps to build real  

18:16

world critical thinking skills through problem  solving not memorizing so while you're building  

18:21

real knowledge on specific topics you'll also be  becoming a better thinker the best part you don't  

18:26

need to dedicate hours at a time to learn learning  developing a daily habit of learning is going to  

18:31

keep your mind sharp and your information diet  rich which is invaluable for both personal and  

18:36

professional growth that's why brilliant provides  its lessons in manageable bite-sized pieces that  

18:41

can be done whenever wherever helping you build  real knowledge in just minutes a day personally  

18:47

I replaced a lot of my social media scrolling  with brilliant and I wouldn't look back you can  

18:52

start to learn the core mechanics powering  the everyday Technologies we all know and  

18:56

love such as search engines neural netor works  cryptocurrency or even Quantum Computing most  

19:02

recently I took their course on large language  models which gives you hands-on experience with  

19:07

real language models you get to explore the  impact that training data has on the model's  

19:11

output and even spend some time learning how  to tune an llm to become better suited toward  

19:16

a specific task this is increasingly relevant  to the age of AI assistant and with the rise of  

19:22

adverse serial machine learning attacks a robust  set of problemsolving skills and a wide breadth  

19:27

of knowledge are often key in being able to spot  patterns and piece together Solutions in the world  

19:32

of cyber security to try everything brilliant  has to offer for free for a full 30 days visit  

19:38

brilliant.org Danel boter or click the link in  the description you'll also get 20% off in annual  

19:44

premium subscription this concludes part one of  this two-part series to continue with the series  

19:50

check out part two which will be available  here once it's released thanks for watching